MS10-020: SMB Client Update

Today Microsoft released MS10-020, which addresses several vulnerabilities in the Windows SMB client. This blog post provides additional details to help prioritize installation of the update, and understand the attack vectors and mitigations that apply.

Client-side vulnerabilities

The first thing to realize is that this update addresses vulnerabilities in the SMB client in Windows. Typically, machines that act as SMB clients are Windows client machines, not server machines. However, it is possible for a Windows server machine to also act as a SMB client, and depending on the server role and software being used it may be a common scenario. For example: Terminal Server scenarios; logging on to a server as an administrator and accessing files on the network; Servers that mirror content from another SMB server.

It should also be noted that the Browser service, which runs by default on both client and server machines, could be used to facilitate an attack without user interaction. (See http://support.microsoft.com/kb/188001 for more details on the Browser service).

Attack vectors

Unlike server-side vulnerabilities, an attacker cannot simply scan for vulnerable systems and then open connections to attack targets. For an attacker to exploit any of these issues they would have to force a SMB client to make a connection to a malicious server. In general this kind of attack is done in several ways:

E-mail containing links to external web or file servers. (The attacker lures the target into clicking a link and visiting the malicious server.)

Similar to above, but with messages sent via instant-messenger or social-networking services.

HTML e-mail or web-pages containing embedded links to malicious file serves. With some applications, these links may be automatically visited without user interaction.

In all cases, for an attacker on the Internet to be able to exploit these vulnerabilities, the target client machine must be able to make an outbound SMB connection to the malicious server. Firewall best practices recommend blocking outbound (and inbound) SMB traffic (TCP ports 139 and 445) at the perimeter firewall, preventing this attack from succeeding.

That leaves attacks originating from inside the local network (a.k.a. the intranet) – either from a malicious user on the network, or from a compromised machine that is being used as a pivot to reach other targets. In some cases, it may be possible for an attacker on the intranet to hijack legitimate SMB client connections for the purpose of carrying out attacks. As mentioned above, an attacker may cause the Browser service on target computers to make a connection to a malicious SMB server on the local network, potentially without any user interaction.

Mitigations

As explained above, the best mitigation against attacks coming from outside the network perimeter is to block inbound and outbound SMB traffic at the edge firewall. This will prevent attackers on the Internet from being able to lure client machines into connecting to them.

Blocking attacks from the intranet is harder. The best solution is to apply the security update. Other steps that can be taken to reduce risk are to enable SMB signing, so that malicious SMB servers will not be able to establish communication with target clients.

April 13th Update: Added information about the Browser service. We'd like to thank security researcher Laurent Gaffié for helping us clarify the risk.

- Mark Wodrich, MSRC Engineering

*Posting is provided "AS IS" with no warranties, and confers no rights.*